1 Reply Latest reply on Dec 26, 2014 12:48 PM by choly

    NetFlow calculation mismatch

    felix.rio

      We use Orion NPM in our environment, there is a strange issue I found when I was doing a analysis against a NetFlow node.

       

      The top 5 protocol graph for day 1, that gives you a total TCP traffic of 32.3GB

      15_11_12.png

       

      Day 2 presents a total TCP traffic of 35.8GB

      16_11_12.png

       

      A report across 2 days however, shows a total TCP traffic of 50.9GB only. Why not 32.3+35.8=68.1GB?

      15-16_11_12.png

       

      Is that any reason the 2 days report is 13GB out of sync with the sum of day 1&2?

       

      I have checked data summarization, they are on default settings according to the help menu. I have also picked some random nodes and do the same analysis, the results are all appeared to be mismatched.

       

      Is anyone came across similar problem would like to share some comments please?

       

      Thanks

      Felix

        • Re: NetFlow calculation mismatch
          choly

          Hi Felix,

          I know this is a little bit tricky, but let me explain that:

          When resource is loading, it needs at least two amounts of bytes in two different times to construct a chart (otherwise the chart will always start in 0 value). It is better visible when you switch chart to show amount of data instead of rate - you will see that values on side of the chart would be (in you case) about 15GB and 17GB, giving 32
          GB in total.

          Well, what does it mean? NTA charts are not able to show you 1 day for the granularity you have, because 1 day, means one sample. As you need at least two, it takes a previous day sample as well - effectively showing you 2 days (one 15GB and one 17GB). Same for the second chart, where values will be something like 17GB and 19GB giving 35GB together.

          But when you ask for two days in last chart, returned values will be for three days - i.e. 15GB, 17GB, 19GB, which makes 51GB in total and hopefully explaining  that 17GB difference you are observing when you compare those charts (as you was adding (15 + 17) + (17 + 19) GB).

           

          (All of that applies also for rate, just amount of data is divided by elapsed time in seconds giving you rate.)

           

          Did that helped?